merge main

Author: aphralG

.github/workflows/mend.yml

@@ -0,0 +1,33 @@
+name: Mend
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+*"
+    paths-ignore:
+      - docs/**
+  pull_request:
+    branches:
+      - main
+      - release-*
+    paths-ignore:
+      - docs/**
+
+concurrency:
+  group: ${{ github.ref_name }}-mend
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  mend:
+    if: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) || (github.event_name == 'push' && github.event.repository.fork == false) }}
+    uses: nginxinc/compliance-rules/.github/workflows/mend.yml@a27656f8f9a8748085b434ebe007f5b572709aad # v0.2
+    secrets: inherit
+    with:
+      product_name: nginx-agent-v3_${{ github.ref_name }}
+      project_name: nginx-agent-v3

.github/workflows/upload-release-assets.yml

@@ -6,7 +6,7 @@ on:
       pkgRepo:
         description: "Source repository to pull packages from"
         type: string
-        default: ""
+        default: "packages.nginx.org"
       pkgVersion:
         description: 'Agent version'
         type: string
@@ -57,20 +57,31 @@ jobs:
         with:
           ref: ${{ inputs.releaseBranch }}
 
-      - name: Azure Login
-        if: ${{ inputs.uploadAzure == true }}
-        uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
-        with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
-
       - name: Download Packages
         run:
           |
           echo "Checking Packages in ${{inputs.pkgRepo}}/nginx-agent"
-          PKG_REPO=${{inputs.pkgRepo}} CERT=${{secrets.PUBTEST_CERT}} KEY=${{secrets.PUBTEST_KEY}} DL=1 scripts/packages/package-check.sh ${{inputs.pkgVersion}}
+          echo "${{secrets.PUBTEST_CERT}}" > pubtest.crt
+          echo "${{secrets.PUBTEST_KEY}}" > pubtest.key
+          PKG_REPO=${{inputs.pkgRepo}} CERT=pubtest.crt KEY=pubtest.key DL=1 scripts/packages/package-check.sh ${{inputs.pkgVersion}}
           find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}"
 
-      - name: Azure Upload Release Packages
+      - name: GitHub Upload
+        if: ${{ needs.vars.outputs.github_release == 'true' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        # clobber overwrites existing assets of the same name
+        run: |
+          gh release upload --clobber v${{ inputs.pkgVersion }} \
+            $(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}")
+
+      - name: Azure Login
+        if: ${{ inputs.uploadAzure == true }}
+        uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - name: Azure Upload
         if: ${{ inputs.uploadAzure == true }}
         uses: azure/CLI@965c8d7571d2231a54e321ddd07f7b10317f34d9 # v2.0.0
         with:
@@ -88,15 +99,6 @@ jobs:
             done
 
       - name: Azure Logout
+        if: ${{ inputs.uploadAzure == true }}
         run: |
-          az logout
-        if: always()
-
-      - name: GitHub Upload Release Assets
-        if: ${{ needs.vars.outputs.github_release == 'true' }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        # clobber overwrites existing assets of the same name
-        run: |
-          gh release upload --clobber v${{ inputs.pkgVersion }} \
-            $(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}")
+          az logout || exit 0

api/grpc/mpi/v1/command.pb.go

@@ -296,7 +296,7 @@ message InstanceRuntime {
     // the process identifier
     int32 process_id = 1;
     // the binary path location
-    string binary_path = 2 [(buf.validate.field).string.prefix = "/"];
+    string binary_path = 2 [(buf.validate.field).string.pattern = "^\\/.*|^$"];
     // the config path location
     string config_path = 3 [(buf.validate.field).string.pattern = "^\\/.*|^$"];
     // more detailed runtime objects
@@ -362,6 +362,8 @@ message NGINXAppProtectRuntimeInfo {
     string attack_signature_version = 2;
     // Threat campaign version
     string threat_campaign_version = 3;
+    // Enforcer engine version
+    string enforcer_engine_version = 4;
 }
 
 // A set of actions that can be performed on an instance

api/grpc/mpi/v1/command.pb.validate.go

@@ -1072,6 +1072,7 @@ A set of runtime NGINX App Protect settings
 | release | [string](#string) |  | NGINX App Protect Release |
 | attack_signature_version | [string](#string) |  | Attack signature version |
 | threat_campaign_version | [string](#string) |  | Threat campaign version |
+| enforcer_engine_version | [string](#string) |  | Enforcer engine version |
 
 
 

api/grpc/mpi/v1/command.proto

@@ -37,7 +37,7 @@ const (
 	// 2024-11-16T17:19:24+00:00 ---> Nov 16 17:19:24
 	timestampConversionExpression = `'EXPR(let timestamp = split(split(body, ">")[1], " ")[0]; ` +
 		`let newTimestamp = ` +
-		`timestamp matches "(\\d{4})-(\\d{2})-(\\d{2})T(\\d{2}):(\\d{2}):(\\d{2})([+-]\\d{2}:\\d{2}|Z)" ` +
+		`timestamp matches "(\\d{4})-(\\d{2})-(0\\d{1})T(\\d{2}):(\\d{2}):(\\d{2})([+-]\\d{2}:\\d{2}|Z)" ` +
 		`? (let utcTime = ` +
 		`date(timestamp).UTC(); utcTime.Format("Jan  2 15:04:05")) : date(timestamp).Format("Jan 02 15:04:05"); ` +
 		`split(body, ">")[0] + ">" + newTimestamp + " " + split(body, " ", 2)[1])'`

docs/proto/protos.md

@@ -62,9 +62,9 @@ const (
 	DefCollectorTLSCAPath   = "/var/lib/nginx-agent/ca.pem"
 	DefCollectorTLSSANNames = "127.0.0.1,::1,localhost"
 
-	DefCollectorBatchProcessorSendBatchSize    = 8192
-	DefCollectorBatchProcessorSendBatchMaxSize = 0
-	DefCollectorBatchProcessorTimeout          = 200 * time.Millisecond
+	DefCollectorBatchProcessorSendBatchSize    = 1000
+	DefCollectorBatchProcessorSendBatchMaxSize = 1000
+	DefCollectorBatchProcessorTimeout          = 30 * time.Second
 
 	DefCollectorExtensionsHealthServerHost      = "localhost"
 	DefCollectorExtensionsHealthServerPort      = 13133

internal/collector/otel_collector_plugin.go

@@ -39,18 +39,17 @@ type (
 	}
 
 	InstanceWatcherService struct {
-		processOperator              process.ProcessOperatorInterface
-		nginxConfigParser            parser.ConfigParser
-		executer                     exec.ExecInterface
-		enabled                      *atomic.Bool
-		agentConfig                  *config.Config
-		instanceCache                map[string]*mpi.Instance
-		nginxConfigCache             map[string]*model.NginxConfigContext
-		instancesChannel             chan<- InstanceUpdatesMessage
-		nginxConfigContextChannel    chan<- NginxConfigContextMessage
-		nginxParser                  processParser
-		nginxAppProtectProcessParser processParser
-		cacheMutex                   sync.Mutex
+		processOperator           process.ProcessOperatorInterface
+		nginxConfigParser         parser.ConfigParser
+		executer                  exec.ExecInterface
+		enabled                   *atomic.Bool
+		agentConfig               *config.Config
+		instanceCache             map[string]*mpi.Instance
+		nginxConfigCache          map[string]*model.NginxConfigContext
+		instancesChannel          chan<- InstanceUpdatesMessage
+		nginxConfigContextChannel chan<- NginxConfigContextMessage
+		nginxParser               processParser
+		cacheMutex                sync.Mutex
 	}
 
 	InstanceUpdates struct {
@@ -75,16 +74,15 @@ func NewInstanceWatcherService(agentConfig *config.Config) *InstanceWatcherServi
 	enabled.Store(true)
 
 	return &InstanceWatcherService{
-		agentConfig:                  agentConfig,
-		processOperator:              process.NewProcessOperator(),
-		nginxParser:                  NewNginxProcessParser(),
-		nginxAppProtectProcessParser: NewNginxAppProtectProcessParser(),
-		nginxConfigParser:            parser.NewNginxConfigParser(agentConfig),
-		instanceCache:                make(map[string]*mpi.Instance),
-		cacheMutex:                   sync.Mutex{},
-		nginxConfigCache:             make(map[string]*model.NginxConfigContext),
-		executer:                     &exec.Exec{},
-		enabled:                      enabled,
+		agentConfig:       agentConfig,
+		processOperator:   process.NewProcessOperator(),
+		nginxParser:       NewNginxProcessParser(),
+		nginxConfigParser: parser.NewNginxConfigParser(agentConfig),
+		instanceCache:     make(map[string]*mpi.Instance),
+		cacheMutex:        sync.Mutex{},
+		nginxConfigCache:  make(map[string]*model.NginxConfigContext),
+		executer:          &exec.Exec{},
+		enabled:           enabled,
 	}
 }
 
@@ -265,7 +263,7 @@ func (iw *InstanceWatcherService) instanceUpdates(ctx context.Context) (
 ) {
 	iw.cacheMutex.Lock()
 	defer iw.cacheMutex.Unlock()
-	nginxProcesses, nginxAppProtectProcesses, err := iw.processOperator.Processes(ctx)
+	nginxProcesses, err := iw.processOperator.Processes(ctx)
 	if err != nil {
 		return instanceUpdates, err
 	}
@@ -280,10 +278,6 @@ func (iw *InstanceWatcherService) instanceUpdates(ctx context.Context) (
 		instancesFound[instance.GetInstanceMeta().GetInstanceId()] = instance
 	}
 
-	nginxAppProtectInstances := iw.nginxAppProtectProcessParser.Parse(ctx, nginxAppProtectProcesses)
-	for _, instance := range nginxAppProtectInstances {
-		instancesFound[instance.GetInstanceMeta().GetInstanceId()] = instance
-	}
 	newInstances, updatedInstances, deletedInstances := compareInstances(iw.instanceCache, instancesFound)
 
 	instanceUpdates.NewInstances = newInstances

internal/config/defaults.go

@@ -28,7 +28,7 @@ func TestInstanceWatcherService_checkForUpdates(t *testing.T) {
 	nginxConfigContext := testModel.ConfigContext()
 
 	fakeProcessWatcher := &processfakes.FakeProcessOperatorInterface{}
-	fakeProcessWatcher.ProcessesReturns(nil, nil, nil)
+	fakeProcessWatcher.ProcessesReturns(nil, nil)
 
 	fakeProcessParser := &instancefakes.FakeProcessParser{}
 	fakeProcessParser.ParseReturns(map[string]*mpi.Instance{
@@ -44,7 +44,6 @@ func TestInstanceWatcherService_checkForUpdates(t *testing.T) {
 	instanceWatcherService := NewInstanceWatcherService(types.AgentConfig())
 	instanceWatcherService.processOperator = fakeProcessWatcher
 	instanceWatcherService.nginxParser = fakeProcessParser
-	instanceWatcherService.nginxAppProtectProcessParser = fakeProcessParser
 	instanceWatcherService.nginxConfigParser = fakeNginxConfigParser
 	instanceWatcherService.instancesChannel = instanceUpdatesChannel
 	instanceWatcherService.nginxConfigContextChannel = nginxConfigContextChannel
@@ -132,7 +131,7 @@ func TestInstanceWatcherService_instanceUpdates(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(tt *testing.T) {
 			fakeProcessWatcher := &processfakes.FakeProcessOperatorInterface{}
-			fakeProcessWatcher.ProcessesReturns(nil, nil, nil)
+			fakeProcessWatcher.ProcessesReturns(nil, nil)
 
 			fakeProcessParser := &instancefakes.FakeProcessParser{}
 			fakeProcessParser.ParseReturns(test.parsedInstances)
@@ -144,7 +143,6 @@ func TestInstanceWatcherService_instanceUpdates(t *testing.T) {
 			instanceWatcherService := NewInstanceWatcherService(types.AgentConfig())
 			instanceWatcherService.processOperator = fakeProcessWatcher
 			instanceWatcherService.nginxParser = fakeProcessParser
-			instanceWatcherService.nginxAppProtectProcessParser = fakeProcessParser
 			instanceWatcherService.instanceCache = test.oldInstances
 			instanceWatcherService.executer = fakeExec